A Platform is not a Product
Platforms vs. Point Solutions
[Figure: Founded dates of CNAPP providers]
One recurring discussion in cybersecurity is the relative value of platforms versus point solutions. Conveniently enough, every platform provider thinks platforms are what the people really want; conversely, every point solution thinks platforms are an awful value proposition.
The truth lies somewhere in the middle: customers need their security challenges solved, and if a single solution solves multiple problems, it’s going to be an easy win. However, Lacework’s huge devaluation and eventual sale demonstrates that just “being a platform” with a large set of features isn’t the same thing as solving customer problems.
On paper, Lacework had substantially more features than Wiz. It supported all the same scanning, plus some, and had agent-based runtime detection for much longer. However, all of these features were built around a UX that people didn’t want, namely the idea that every finding should turn into an alert; over time customers didn’t want more alerts, they wanted fewer of them. Customers don’t go to market looking to acquire sets of features, they go looking to solve problems.
How CNAPP Evaluations Happen
When I’ve run CNAPP evaluations, it’s always been in the context of solving specific difficulties our security team was running into. Once I was focused very much on vulnerability management, another time specifically on Kubernetes security, and in another I was looking primarily for cloud visibility.
Each time I’ve run a CNAPP evaluation, I’ve selected a different tool, because different businesses have different challenges. This goes against the conventional wisdom in other categories: typically users who get used to a particular piece of software become advocates for it as they go from job to job. Someone who likes Slack more than Teams for communications isn’t going to magically change their mind because they’re at a different company. The same holds for SIEMs like Splunk and SumoLogic. CNAPP differs as a category because it’s simply too many use cases squeezed into a single tool.
As an example, if you need cloud visibility and container detection and response, Sysdig is the easiest recommendation you can possibly make. The other providers have certainly added enough that they can say they “do Kubernetes protection,” but not nearly enough to be competitive with Sysdig on it. The discussion really becomes whether the CSPM visibility aspects of Sysdig make up for any deficiencies against Kubernetes-focused solutions like Armo, Rad, and Upwind.
Conversely, if your main issue is vulnerability scanning production workloads of mixed container and host environments, Wiz and Orca quickly become the most flexible options. Even though most tools now “support” agentless scanning, the level of maturity here is wildly different. The problem was never the feature of agentless scanning itself, it was the ease of doing vulnerability and asset management - one piece of which was agentless scanning.
CNAPP has a unique challenge: its customers are all coming to it to solve radically different problems. Ironically, none of those problems are, “I really need a CNAPP!” Shoving more and more things into a single tool doesn’t solve a single customer problem. The goal is not to build a feature for every deal you ever lost; rather, it’s figuring out whether someone benefits from having this set of features in the same place.
It’s obvious to me how CNAPP got here: the starting point was, “everything you need to secure the cloud.” But with hindsight, we can see more clearly that the cloud is just a datacenter with an API, and it’s really been about visibility and protection for the workloads all along.
The State of Platforms
I’ve also noticed that each of these tools remains competitive only in what it started as. Sysdig started as a container visibility and monitoring solution, Lacework as a cloud baselining solution, Aqua as a container security solution, Orca as agentless visibility, Prisma as cloud API scanning and container security duct-taped together, and Wiz as agentless infrastructure security. None of these tools has managed to meaningfully overtake a competitor in what that competitor started as: Aqua still has the container vulnerability scanner that powers half the other ones, Sysdig still has the best container runtime security, and so on.
The problem these platforms face is that their valuations are all artificially inflated: they’ve been funded as though they all provide the same service, when in reality they’re all pretty different. Wiz’s hyper-growth is about its ability to provide cloud asset management and vulnerability scanning in the easiest way possible, a nearly universally needed piece of functionality. Yet everyone has fundraised as though they’re doing the exact same thing. Now everyone “sort of” offers agentless scanning, API access to data, data scanning, and IAM management; they’re chasing each other into irrelevancy.
Unfortunately, these companies have mostly used their additional funding to desperately try to offer the features of their competitors, instead of doubling down on their own use case. And it’s hard to blame them: because they fundraised off the “CNAPP market” as a whole, they’re stuck trying to play feature catch-up. The most successful CNAPPs will be those who kept modest valuations and have continued to build for their use cases.
Platforms outside of CNAPP
How does this relate to other platform approaches, like ASPM? Unlike CNAPP, I think all of the ASPM features we’re currently seeing bundled actually make sense to be there - which is why CSPM existing in Ox and Aikido tells me a lot about how they understand the goals. Adding CSPM to ASPM makes no sense from a marketing perspective - most people buying ASPM will already have a CNAPP, and the ASPM version of CSPM will not be as good. Furthermore, none of these companies are trying to fundraise off of the “cloud security” market as a whole.
Instead, these ASPM providers include CSPM scanning because it gives developers some much-needed context about the deployed state of their application, and provides essential information for fixing Terraform-related alerts. This is why CSPM makes sense as part of ASPM, but not vice versa: solving the customer problem of “I have too many scanners and can’t fix anything” requires cloud context, but solving the problem of “cloud visibility” doesn’t require code scanning.
This is why I love seeing developments like Rad and Armo creating endpoint agents: they’ve recognized that even though these features will be hard to market against CNAPP, they’re essential to solving the customer problem. Products that solve real customer problems will always overcome marketing difficulties and perceived competitive differences.
At the end of the day, we should only reward platforms if they’re solving multiple customer problems in the same place. Of course they will all say they do this, but a PoC usually reveals the truth quickly.